  • 8 commits
  • 6 files changed
  • 0 commit comments
  • 1 contributor
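--- a/src/inc/lib.h
+++ b/src/inc/lib.h
@@ -12,6 +12,7 @@ void* memcpy(void *dest, void *src, unsigned int count);
 void* memset(void *dest, char val, unsigned int count);
 short* memsetw(short *dest, short val, unsigned int count);
 int strlen(char *str);
+int strnlen(char *str, unsigned int size);
 char* strchr(const char *str, int c);
 char* strrchr(const char *str, int c);
 int strcmp(char *s1, char *s2);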
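--- a/src/inc/param.h
+++ b/src/inc/param.h
@@ -29,6 +29,7 @@ typedef unsigned int uint;
 #define NINDBLK (BLK/sizeof(ushort))
 #define MAX_FILESIZ ((7+NINDBLK+NINDBLK*NINDBLK)*BLK)
+#define MAX_PATHSIZ PAGE
 #define NULL ((void*)0)
 #define NUL 0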
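--- a/src/kern/sys2.c
+++ b/src/kern/sys2.c
@@ -27,7 +27,15 @@ int sys_access(struct trap *tf){
 struct inode *ip;
 int r;
- r = vm_verify(path, strlen(path)+1);
+ if (vm_verify(path, MAX_PATHSIZ) < 0) {
+ syserr(EFAULT);
+ return -1;
+ }
+
+ if (strnlen(path, MAX_PATHSIZ) == MAX_PATHSIZ) {
+ syserr(ENAMETOOLONG);
+ return -1;
+ }
 ip = namei(path, 0);
 if (ip==NULL) {
@@ -43,7 +51,15 @@ int sys_open(struct trap *tf){
 int mode = tf->edx;
 int r;
- r = vm_verify(path, strlen(path)+1);
+ if (vm_verify(path, MAX_PATHSIZ) < 0) {
+ syserr(EFAULT);
+ return -1;
+ }
+
+ if (strnlen(path, MAX_PATHSIZ) == MAX_PATHSIZ) {
+ syserr(ENAMETOOLONG);
+ return -1;
+ }
 return do_open(path, flag, mode);
 }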
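Review bot: The length check `strnlen(path, MAX_PATHSIZ) == MAX_PATHSIZ` in both the sys_access and sys_open hunks rejects only a result of exactly MAX_PATHSIZ, so it fails open if strnlen ever returns more; the copy added in src/lib/string.c in this same change (presumably the one the kernel links) loops with `sp <= str+len` and can return len+1. Comparing with `>=` makes the guard fail closed: `if (strnlen(path, MAX_PATHSIZ) >= MAX_PATHSIZ) {`. Separately, `vm_verify(path, MAX_PATHSIZ)` now demands a whole page of valid user memory starting at path, so a short, properly terminated string that sits near the end of a mapping may be refused with EFAULT, depending on how vm_verify treats a non-present page (not visible here). Both function bodies start outside their hunks, and the two identical blocks would be easier to keep correct as one shared helper.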
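--- a/src/lib/string.c
+++ b/src/lib/string.c
@@ -35,6 +35,12 @@ int strlen(char *str){
 return sp-str;
 }
+int strnlen(char *str, unsigned int len){
+ char *sp;
+ for (sp=str; *sp != '\0' && sp <= str+len; sp++);
+ return sp-str;
+}
+
 char* strcpy(char *dst, const char *src) {
 char *tmp = dst;
 while (*dst++ = *src++);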
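Review bot: The loop condition in the new strnlen, `*sp != '\0' && sp <= str+len`, dereferences sp before testing the bound and uses `<=`, so it reads up to two bytes past the len bytes the caller asked for and can return len+1. The callers in src/kern/sys2.c verify exactly MAX_PATHSIZ bytes and test for `== MAX_PATHSIZ`, so a path with no terminator inside that range yields MAX_PATHSIZ+1 and is not rejected. Test the bound first and make it exclusive: `for (sp=str; sp < str+len && *sp != '\0'; sp++);`. The copy in usr/libsys/string.c already uses `<` but has the same dereference-before-bound order and should get the same condition.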
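--- a/src/mm/vm.c
+++ b/src/mm/vm.c
@@ -93,8 +93,14 @@ int vm_renew(struct vm *vm, struct ahead *ah, struct inode *ip){
 * pointer, on writing a write protected page, x86 do not raise
 * a page fault in ring0, so simulate a write only access as
 * what mmu does if nessary.
- * note: only use this routine before writing, be aware that do
- * not touch kernel memory.
+ *
+ * note:
+ * be aware that do NOT touch the memory in the second argument
+ * like `vm_verify(path, strlen(path) + 1)`, which is a bug
+ *
+ * note2:
+ * use this routine only before reading and writing the
+ * user memory.
 * */
 int vm_verify(uint vaddr, uint size){
 struct pde *pgd;
@@ -106,7 +112,7 @@ int vm_verify(uint vaddr, uint size){
 if (vaddr<KMEM_END || size<0) {
 return -1;
 }
- // special case on checking string.
+ // TODO: special case on checking string.
 for (page=PG_ADDR(vaddr); page<=PG_ADDR(vaddr+size-1); page+=PAGE) {
 pte = find_pte(cu->p_vm.vm_pgd, page, 1);
 if ((pte->pt_flag & PTE_P)==0) {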
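Review bot: The rewritten note on vm_verify is hard to parse as written ("be aware that do NOT touch the memory in the second argument") and does not say why the quoted call is a bug. Something like `* note: never compute size by reading the buffer being verified; vm_verify(path, strlen(path)+1) dereferences path before it is checked.` states the rule and the reason. In the second hunk the guard `size<0` can never be true because size is a `uint`, and `vaddr+size-1` in the loop bound can wrap for a vaddr close to the top of the address space; what vm_verify returns when the loop body never runs lies outside the hunk, so that case is worth confirming. The TODO on the string special case would be more useful if it named what is missing, for example verifying only up to the terminator.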
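--- a/usr/libsys/string.c
+++ b/usr/libsys/string.c
@@ -35,6 +35,12 @@ int strlen(char *str){
 return sp-str;
 }
+int strnlen(char *str, unsigned int len){
+ char *sp;
+ for (sp=str; *sp != '\0' && sp < str+len; sp++);
+ return sp-str;
+}
+
 /* ------------------------------------------------------ */
 char* strcpy(char *dst, const char *src) {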
